top of page

Signal Users Targeted in Coordinated Phishing Campaign to Steal Backup Recovery Keys

  • May 30
  • 3 min read

Key Findings


  • Attackers are conducting a coordinated phishing campaign targeting Signal users by impersonating Signal Support via text messages

  • The campaign specifically seeks backup recovery keys, which decrypt entire message archives stored on Signal's servers, not just future communications

  • Journalists, activists, and human rights workers are confirmed targets, with reports of campaigns against Chinese activists and German officials

  • A 64-character recovery key grants access to all encrypted message history if attackers can compromise the account

  • German prosecutors are investigating suspected state-sponsored Russian phishing operations that targeted politicians, ministers, military personnel, and diplomats, with hundreds of accounts potentially affected

  • The attack is simple to execute and easily reproducible, raising concerns about wider adoption once proven effective


Background


Signal's Secure Backups feature stores encrypted archives of user conversations on Signal's servers. The recovery key is the only mechanism that decrypts these archives. Critically, this key never leaves a user's device and Signal itself never possesses it. The phishing campaign exploits this architecture by deceiving users into voluntarily sharing their recovery keys through fake support messages.


What makes this attack particularly dangerous compared to typical account takeovers is scope. A standard account compromise gives attackers access to future messages only. With a recovery key, attackers gain access to the complete message history stored in backups, potentially years of sensitive communications.


Attack Mechanics


The phishing messages appear to come from Signal Support with a visible "Name not verified" label that users often miss. The messages create urgency by warning of imminent data loss due to sync issues and request users to locate their recovery key in Settings, copy it, and paste it directly into the chat.


The simplicity of the technique is both the strength and the weakness. No sophisticated technical exploitation is required. Victims are social engineered into revealing the key themselves. However, this simplicity means the method can be easily replicated and scaled by other threat actors once proven successful.


High-Value Targets


Journalists, activists, lawyers, and human rights workers represent premium targets for this type of attack. Unlike individuals with mundane message histories, these professionals often have years of sensitive communications involving sources, legal strategies, political discussions, and coordination of sensitive activities.


Reports indicate the campaign has already successfully targeted Chinese activists and German officials. In Germany, the operation targeted high-profile figures including politicians like Julia Klöckner, military personnel, diplomats, and journalists. One notable case involved a phishing attempt embedded in what appeared to be a legitimate group chat from a political party.


State-Sponsored Operations


German prosecutors launched a formal investigation into the phishing campaign targeting German officials, with early evidence suggesting state-sponsored involvement. The operation attempted to compromise Chancellor Friedrich Merz's account, though that specific attempt reportedly failed. Authorities estimate hundreds of accounts may have been affected by the coordinated effort.


The attacks used multiple social engineering vectors including messages impersonating official Signal support, requests for authentication codes, malicious QR codes, and crafted links designed to appear legitimate.


Defensive Measures


Signal will never contact users first or request recovery keys, registration codes, or PINs. Users should treat unsolicited support messages as suspicious and avoid clicking links in account-warning messages.


Protective steps include enabling registration locks, PIN protection, and device-change alerts. Using disappearing messages reduces exposure if an account is compromised. Scam-detection tools can help identify phishing attempts before damage occurs. Users should never share verification codes or authentication secrets under any circumstances.


Future Outlook


While current attacks appear targeted, cybersecurity researchers warn that targeted campaigns rarely remain limited once the technique proves effective. The straightforward mechanics make this attack easily reproducible by criminal and state-sponsored groups alike. If adoption spreads beyond current operators, the campaign could evolve into a widespread threat affecting millions of users across multiple countries and demographics.


Sources


  • https://securityaffairs.com/192899/security/signal-phishing-campaign-targets-journalists-and-activists-to-steal-backup-recovery-keys.html

  • https://aiweekly.co/alerts/signal-backup-keys-stolen-in-coordinated-phishing-wave

  • https://mezha.net/eng/bukvy/a1aa92eb_hackers_target_signal

  • https://cyberinsider.com/signal-users-targeted-by-attackers-seeking-backup-recovery-keys

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page